CMMC Compliance Guide 2026 What DoD Contractors Need to Know

1. What Is CMMC and Why Does It Exist

CMMC stands for Cybersecurity Maturity Model Certification. It is a Department of Defense program that requires defense contractors and subcontractors to verify their cybersecurity practices through assessment rather than simple self-attestation. The DoD launched CMMC in response to years of evidence that defense contractors were claiming compliance with existing requirements such as DFARS 252.204-7012 without actually implementing the required controls. Nation-state adversaries, particularly those affiliated with China and Russia, exploited these gaps to steal controlled technical data and intellectual property from the defense industrial base.

CMMC 2.0, the current version as of 2026, was published in the Federal Register in December 2024. It simplified the original five-level model to three levels and aligned Level 2 directly with NIST SP 800-171 Revision 2 (110 controls) rather than introducing a separate control set. Level 3 adds selected controls from NIST SP 800-172. The final rule means CMMC requirements can now appear in DoD solicitations and contracts.

Key Terms

• CUI (Controlled Unclassified Information): Federal information requiring safeguarding per Executive Order 13556. If your contract involves CUI, CMMC Level 2 applies.
• FCI (Federal Contract Information): Information provided or generated under a federal contract that is not public. FCI triggers Level 1.
• CMMC 2.0: The current rule, effective December 16, 2024. Three levels instead of five. Self-assessment permitted at Level 1; third-party C3PAO assessment required at Level 2 (most contracts).
• DIB (Defense Industrial Base): The network of companies that provide goods and services to the DoD. CMMC applies to every company in the DIB that handles FCI or CUI.
• SPRS (Supplier Performance Risk System): The DoD portal where contractors post their self-assessed NIST 800-171 score (used at Level 1 and during Level 2 preparation).

2. CMMC and the DFARS Clause Framework

CMMC does not replace the existing DFARS cybersecurity clauses; it adds a verification layer on top of them. Understanding which clauses apply to your contracts is the first step in determining your CMMC obligations.

When DFARS 252.204-7021 appears in a contract or solicitation, your company must hold a valid CMMC certificate at the specified level before award. This is the enforcement mechanism that makes CMMC real. Once your prime contract requires CMMC Level 2, you must also ensure any subcontractors handling CUI on your behalf achieve the same level.

For a deeper look at the underlying control standard, see our guide to NIST SP 800-171 compliance.

3. CMMC Level 1, Level 2, and Level 3 Explained

CMMC 2.0 has three levels. The level required for a specific contract is determined by the type of information involved and the sensitivity of the program. Most defense contractors pursuing any CUI-bearing contract need Level 2.

Determining which level applies requires reading the specific DFARS clauses and any CMMC requirements listed in the solicitation or contract. When in doubt, contact the contracting officer or consult a CMMC Registered Practitioner.

4. The 110 Practices of CMMC Level 2: All 14 Domains

CMMC Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Rev 2. These requirements are organized into 14 security domains (referred to as "families" in the NIST publication). Every requirement in every domain must be implemented and documented. Below is a brief summary of each domain and what it covers.

The full text of all 110 requirements is in NIST SP 800-171 Rev 2, available at nvlpubs.nist.gov. The DoD's official CMMC assessment guides (CAPs) at dodcio.defense.gov provide the specific assessment objectives assessors use to evaluate each practice.

5. How CMMC Certification Works: C3PAO, RPO, and Assessor Roles

CMMC Level 2 certification requires a formal assessment conducted by an authorized third-party organization. The ecosystem involves several types of accredited entities with distinct roles. Understanding who does what prevents contractors from paying for the wrong type of service.

CMMC Third-Party Assessment Organization (C3PAO)

A C3PAO is a company authorized by the Cyber AB (CMMC Accreditation Body) to conduct official CMMC Level 2 assessments. When your assessment is complete and you pass, the C3PAO submits your results to the CMMC Enterprise Mission Assurance Support Service (eMASS), which generates your certificate stored in the Supplier Performance Risk System (SPRS). Only a C3PAO can issue a CMMC Level 2 certificate. A list of authorized C3PAOs is maintained at cyberab.org/marketplace.

Registered Practitioner Organization (RPO)

An RPO like Petronella Technology Group is authorized to provide CMMC advisory services, gap assessments, remediation support, SSP authoring, and readiness preparation. An RPO works with a contractor to get them ready for the C3PAO assessment. An RPO cannot conduct the official assessment or issue a certificate. This separation is by design: the entity that prepares you cannot be the entity that certifies you.

Registered Practitioner (RP)

An RP is an individual certified by the Cyber AB to provide CMMC advisory services within an RPO. Petronella Technology Group's team includes Craig Petronella (CMMC-RP), Blake Rea (CMMC-RP), Justin Summers (CMMC-RP), and Jonathan Wood (CMMC-RP). When working with an RPO, look for named RPs on deliverables.

CMMC Certified Assessor (CCA) and Lead Assessor (CCLA)

CCAs and CCLAs are individuals who work for or contract with C3PAOs to conduct the official assessments. They must pass Cyber AB certification and maintain their credentials. You will interact with CCAs during your C3PAO assessment.

What the Assessment Process Looks Like

A Level 2 C3PAO assessment typically follows this sequence:

1. Pre-assessment scoping: The C3PAO reviews your SSP and scoping documentation to understand your CUI environment and confirm which systems are in scope.
2. Document review: Assessors review your policies, procedures, SSP, POA&M, system inventories, and configuration documentation.
3. Interviews: Assessors interview system administrators, security personnel, and end users to verify that documented practices match actual behavior.
4. Technical testing: Assessors examine system configurations, log samples, network diagrams, MFA setups, and encryption implementations.
5. Finding discussion: The assessor team reviews findings with your team before finalizing. You can provide additional evidence for items initially marked as not met.
6. Final report and submission: The C3PAO submits results to eMASS. If you pass, your CMMC certificate is created in SPRS. If deficiencies remain, you may pursue conditional CMMC status with an approved POA&M.

For a detailed look at what our readiness work includes before the C3PAO assessment, see our CMMC consulting and readiness services page.

6. CMMC 2.0 Phased Rollout Timeline

CMMC requirements are being phased into DoD solicitations and contracts incrementally, not all at once. The final rule went into effect December 16, 2024. Here is what the rollout looks like through 2028:

Most contractors pursuing new DoD contracts in 2026 should treat CMMC Level 2 with C3PAO assessment as the operative requirement. The exceptions are narrowing. Starting preparation early matters because the path from gap assessment to C3PAO-ready typically takes 6 to 18 months depending on the starting security posture and the complexity of your CUI environment.

Typical Timeline: Gap to Certified

Every engagement is different, but the following represents a common trajectory for a small to mid-size defense contractor with 25-250 employees:

1. Month 1-2: Gap assessment and scoping. Identify current vs. required state across all 110 practices. Document the CUI boundary. Calculate the SPRS score delta.
2. Month 2-6: Remediation. Implement missing controls. Priority order is typically: MFA, FIPS encryption, audit logging, access control policies, configuration management, incident response plan, and SSP completion.
3. Month 6-10: Documentation and evidence collection. Complete the System Security Plan. Build the POA&M for residual gaps. Create the required policy documentation set across all 14 domains. Organize evidence artifacts.
4. Month 10-12: Pre-assessment readiness review. A mock C3PAO assessment conducted by the RPO to identify any remaining gaps before the official assessment.
5. Month 12-18: C3PAO assessment and certification. Official assessment with the C3PAO. Address any findings. Receive conditional CMMC status if applicable. Achieve full certification upon POA&M closure.

7. POA&M Rules and Conditional CMMC Status

A Plan of Action and Milestones (POA&M) is a document that identifies security weaknesses, the resources required to fix them, and the scheduled completion dates. CMMC 2.0 allows a limited use of POA&Ms at Level 2, which represents a significant change from earlier drafts of the rule where all 110 controls had to be fully implemented before assessment.

What POA&M Allows Under CMMC 2.0

• A contractor may receive conditional CMMC status (a time-limited certificate) if the C3PAO assessment finds deficiencies in a limited number of practices, provided none of the deficiencies involve specific high-priority practices.
• The POA&M closure period is 180 days from the date of the conditional certificate. All POA&M items must be closed and a closeout assessment completed within that window.
• Certain practices are excluded from POA&M eligibility, meaning they must be fully met at the time of the C3PAO assessment. These include multi-factor authentication requirements, FIPS-validated cryptography, and other high-priority controls specified by the DoD.
• A practice with a weighting of 5 points or more in the NIST 800-171 scoring methodology cannot be on the POA&M unless it meets specific conditions.

Strategic Implications

POA&M availability does not mean you can arrive at a C3PAO assessment with 40 open gaps and expect a conditional certificate. The rules are narrow. The best approach is to close as many gaps as possible before the assessment and use the POA&M only for residual, lower-weighted items where implementation requires longer technical timelines. An experienced CMMC practitioner will help you sequence remediation to maximize the likelihood of full certification at the first assessment attempt.

The DoD reserves the right to revoke conditional certificates if POA&M items are not closed within the 180-day window. An expired conditional certificate means the contractor can no longer perform on contracts requiring CMMC until a new assessment is completed.

8. What CMMC Compliance Costs

There is no single cost for CMMC compliance because the investment depends on how far away from compliant a contractor is today, how complex the CUI environment is, and how much internal IT capacity exists. That said, we can describe the cost components and typical ranges based on publicly available DoD cost estimates and common patterns in practice.

Cost Components

• Gap assessment and scoping: Typically conducted by an RPO. Includes review of existing controls, documentation, and CUI flow mapping. This defines the scope of remediation work ahead.
• Remediation: Technology purchases (MFA solutions, FIPS-compliant encryption, endpoint detection and response, SIEM, secure email), implementation labor, and configuration work. This is the largest variable cost and depends heavily on the starting state.
• Documentation and SSP authoring: Creating the System Security Plan, policies across all 14 domains, procedures, and the evidence artifact library. Labor-intensive but not hardware-dependent.
• C3PAO assessment fee: Paid directly to the C3PAO. The DoD's own cost estimates have ranged from approximately $30,000 to $100,000+ for a Level 2 assessment depending on organization size and scope complexity.
• Ongoing maintenance: Annual affirmation, continuous monitoring, vulnerability management, and preparation for the triennial reassessment. Typically an annual recurring cost.

The Cost of Not Complying

A contractor that cannot demonstrate CMMC Level 2 when required by the solicitation cannot bid on or perform on that contract. For companies with significant DoD revenue, the cost of non-compliance is contract loss. Additionally, false statements in DoD certifications can trigger False Claims Act liability, which carries civil penalties up to three times the value of the affected contracts.

The DoD's Regulatory Impact Analysis, published with the final rule, estimated average first-year compliance costs by company size. Small businesses in the 50-person range can expect first-year total costs (including C3PAO assessment) in the range of $100,000 to $300,000, with ongoing annual costs significantly lower. These are DoD estimates; actual costs vary widely.

9. Common CMMC Compliance Failures

After working with defense contractors on CMMC readiness since the program's early development, we see the same technical and organizational gaps consistently. Here are the most common compliance failures and what they mean in practice.

10. Frequently Asked Questions